Description
Cross-Site Request Forgery (CSRF) vulnerability in Alexander Rauscha mLanguage mlanguage allows Stored XSS. This issue affects mLanguage: from n/a through <= 1.6.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a CSRF weakness (CWE-352) in a plugin request handler that stores attacker-controlled content. An attacker who lures a logged-in user, typically an administrator, to a page that silently submits a forged request has that content saved on the WordPress site; because the stored value is later rendered without adequate escaping, the payload executes as stored XSS in the browser of every visitor who views the affected page. Consequences include defacement, theft of cookies or credentials, and session hijacking of the users who load the page.

Affected Systems

Alexander Rauscha's mLanguage plugin for WordPress is affected in versions up to and including 1.6.1. Any WordPress site running mLanguage 1.6.1 or earlier is vulnerable; the advisory gives no lower bound ("from n/a"), so all earlier releases should be treated as affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) yields a base score of 7.1 (High): the forged request is sent over the network with low attack complexity and no privileges on the attacker's side, but it requires user interaction, because a victim who is already authenticated to the site must be induced to open an attacker-controlled page or click a crafted link that submits the request to the plugin's endpoint. Scope is changed because the stored payload then runs in other users' browsers. The EPSS score below 1% is a low predicted probability of exploitation in the wild over the next 30 days, not a count of observed attacks; the vulnerability is not in CISA's KEV catalog, and the SSVC record marks exploitation as none and the attack as not automatable. Successful exploitation depends on the victim holding a session with enough access to the affected plugin functionality at the moment the forged request is processed.

Generated by OpenCVE AI on April 30, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the mLanguage plugin as soon as the vendor releases a version later than 1.6.1; at the time of this page no fixed version is listed, so the remaining items are the interim controls.
  • If the plugin is not required for site functionality, remove or deactivate it entirely.
  • Protect every state-changing plugin form and AJAX handler with a WordPress nonce (wp_nonce_field() on the form, check_admin_referer() or check_ajax_referer() in the handler) and pair it with a capability check such as current_user_can(); a nonce proves that the request came from the site's own form, not that the user is authorized to make the change.
  • Sanitize submitted values before storing them and escape them on output (esc_html(), esc_attr()), so that a value that does reach the database cannot execute as script.
  • Review web server logs for POST requests to the plugin's admin endpoints whose Origin or Referer header points to an external site; that is the signature of a cross-site forged submission.
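The following PHP is an added illustration, not code from the mLanguage plugin (whose handlers are not shown on this page). It contrasts the CWE-352 pattern described in the Impact and Risk sections, a settings handler that trusts any request carrying the victim's session cookie, with a handler that applies the controls listed above. The option name example_label, the admin_post action names, the capability manage_options and the form field names are assumptions chosen for the example.

```php
<?php
// Added illustration of CWE-352 (CSRF leading to stored XSS) in a
// WordPress settings handler. NOT code from the mLanguage plugin; the
// option name, capability, action and field names are assumptions.

// --- Vulnerable pattern -------------------------------------------------
// admin-post.php fires admin_post_{action} for logged-in users. This
// handler performs no nonce check and no capability check, so a logged-in
// admin who visits an attacker page containing an auto-submitting <form>
// targeting action=example_save_label has the attacker's markup stored.
add_action( 'admin_post_example_save_label', function () {
    if ( isset( $_POST['label'] ) ) {
        update_option( 'example_label', $_POST['label'] ); // raw, unsanitized
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// Output side of the vulnerable pattern: the stored value is echoed
// unescaped, so any stored markup runs in every visitor's browser.
function example_render_label_vulnerable() {
    echo '<span class="label">' . get_option( 'example_label', '' ) . '</span>';
}

// --- Hardened pattern ---------------------------------------------------
// Three independent controls:
//   1. a capability check (authorization; a nonce alone does not provide it);
//   2. a nonce bound to this action, which a cross-site form cannot supply
//      because it is derived from the user's session and expires;
//   3. sanitisation on input and escaping on output.

// The form carries a nonce field tied to the action name 'example_save_label'.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_label_secure">
        <?php wp_nonce_field( 'example_save_label', 'example_nonce' ); ?>
        <input type="text" name="label"
               value="<?php echo esc_attr( get_option( 'example_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_label_secure', function () {
    // 1. Authorization: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce for this
    //    action and stops with a 403 if it is missing, expired, or was
    //    issued for a different action or user.
    check_admin_referer( 'example_save_label', 'example_nonce' );

    // 3a. Input sanitisation: strip tags, line breaks and control characters.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'example_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// 3b. Output escaping: even if a bad value reaches the database through
//     some other path, it is rendered as text rather than markup.
function example_render_label_secure() {
    echo '<span class="label">' . esc_html( get_option( 'example_label', '' ) ) . '</span>';
}
```

The nonce and the capability check are deliberately separate: a valid nonce from a low-privileged user must not be enough to change a site-wide option, and a capability check without a nonce is exactly the condition under which a CSRF page can act with the admin's session. Output escaping is kept as a third layer so that a single missed sanitisation point does not turn a stored value into executable script.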



Advisories
Source ID Title
EUVD EUVD-2025-11582 Cross-Site Request Forgery (CSRF) vulnerability in Alexander Rauscha mLanguage allows Stored XSS. This issue affects mLanguage: from n/a through 1.6.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Cross-Site Request Forgery (CSRF) vulnerability in Alexander Rauscha mLanguage allows Stored XSS. This issue affects mLanguage: from n/a through 1.6.1.
Description (added): Cross-Site Request Forgery (CSRF) vulnerability in Alexander Rauscha mLanguage mlanguage allows Stored XSS.This issue affects mLanguage: from n/a through <= 1.6.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Alexander Rauscha mLanguage allows Stored XSS. This issue affects mLanguage: from n/a through 1.6.1.
Title WordPress mLanguage plugin <= 1.6.1 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:31.251Z

Reserved: 2025-04-16T06:23:15.163Z

Link: CVE-2025-39430

Vulnrichment

Updated: 2025-04-17T15:50:44.132Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:53.167

Modified: 2026-04-23T15:29:32.380

Link: CVE-2025-39430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:30:02Z

Weaknesses